CVSS 3.1 Score 6.5 of 10 (medium)


Published Nov 10, 2023
Updated: Nov 16, 2023
CWE ID 384


The vulnerability with CVE ID CVE-2023-46733 affects the Symfony PHP framework versions 5.4.21 and 6.2.7, and prior to versions 5.4.31 and 6.3.8. The issue lies in the SessionStrategyListener, which fails to migrate the session after every successful login when the user identifier remains unchanged but the token changes from partially-authenticated to fully-authenticated. This results in a potential session fixation vulnerability as the session id is not regenerated as it should be. The remediation for this vulnerability is to update Symfony to versions 5.4.31 or 6.3.8 or later, where Symfony now checks the type of token in addition to the user identifier before deciding whether to regenerate the session id. This vulnerability has a base severity of MEDIUM with an exploitability score of 2.8 and an impact score of 3.6, posing a potential risk to organizations using vulnerable versions of Symfony in terms of integrity impact on their sessions.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-46733 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options